from the Title:-III,-Privacy:-0 dept

US authorities intercepted and recorded millions of phone calls last year under a single wiretap order, authorized as part of a narcotics investigation.

The wiretap order authorized an unknown government agency to carry out real-time intercepts of 3.29 million cell phone conversations over a two-month period at some point during 2016, after the order was applied for in late 2015.

This detail, contained in the US Courts' latest wiretap report, shows how much the government can get with a single wiretap order. Using assertions of "training and expertise," US drug warriors intercepted millions of phone calls, ringing up a $335,000 third-party phone bill in the process.

But hey, the Drug War can't be won without casting a wide dragnet. Drug conspiracies are vast and far-reaching, often leading law enforcement to bigger fish further down the line. Or so the affidavit assertions say…

But the authorities noted that the surveillance effort led to no incriminating intercepts, and none of the handful of those arrested have been brought to trial or convicted.

To recap:

1 wiretap warrant

$335,000 spent

3.3 million communications intercepted

0 convictions

The statutes governing wiretap warrants designate they should only be used when all other, less-intrusive investigative methods have failed. The fact that these 3.3 million communications failed to add up to a single conviction suggests other investigative methods weren't fully explored before a judge autographed this warrant request. To be fair to the judge, the requesting agency probably wasn't forthcoming about its previous investigative ventures.

The FISC report showed that that court denied in full 8 of 1485 individual US based applications, at a rate of .5%, along with partially denying or modifying a significant number of others.

The Article III report showed that out of 3170 requests, state and federal courts denied just 2 requests.

[...]

That’s a denial rate of .06%.

If there's good news to be gleaned from this report, it's that the number of wiretap orders obtained has dropped dramatically over the last year.

A total of 3,168 wiretaps were reported as authorized in 2016, compared with 4,148 the previous year. Of those, 1,551 were authorized by federal judges, compared with 1,403 in 2015. A total of 1,617 wiretaps were authorized by state judges, compared with 2,745 in 2015.

There's been a slight uptick in federal court approvals, but a dramatic downturn in state court approvals. Most of this drop can likely be linked to 0 being under the direction of a new District Attorney, who has stepped up to curb the wiretap abuses by his predecessor. For several years, the DEA -- which should be running its wiretap requests through federal courts -- was running its wiretap affidavits past an absentee DA and a very compliant (and efficient) state court judge.

Nearly all of that surveillance was authorized by a single state court judge in Riverside County, who last year signed off on almost five times as many wiretaps as any other judge in the United States. The judge's orders allowed investigators — usually from the U.S. Drug Enforcement Administration — to intercept more than 2 million conversations involving 44,000 people, federal court records show.

Officials approved another 607 wiretaps in 2015, according to the figures released by the district attorney’s office. Most were approved in the first half of the year, before [new DA Mike] Hestrin said he installed a “stricter” standard that required every new wiretap application to have a “strong investigatory nexus” to Riverside County.

Taps have dwindled since then. So far this year [2016], Hestrin has approved only 14. In the first two months of last year, his office approved 126.

As Heath's report notes, this single DA's office and single state court judge were once responsible for 20% of the nation's state court-approved wiretaps. This no longer is the case, and the DEA's recent legal troubles associated with these questionable wiretaps has probably pushed it towards seeking more federal judges' signatures last year -- something it should have been doing all along.

from the man-of-the-people dept

For decades, inmate calling service (ICS) telcos have charged inmates and their families upwards of $14 per minute for phone calls without anybody giving much of a damn. Because these folks are in prison, and as we all know everybody in prison is always guilty, drumming up sympathy to convert into political momentum had proven difficult. But after decades of activism, the FCC intervened in 2013 and again in 2015, voting to cap the amount companies can charge the incarcerated for intrastate phone calls. This resulted in a firestorm of complaints from these companies, which not only get to rip off inmates, but have all too cozy and often not particularly legal relationships with law enforcement.

One of the more vocal ICS outfits, Securus, quickly sued the FCC, going so far at one point as to claim that inmates would riot if the company wasn't allowed to continue overcharging inmates and their families. Securus, Global Tel*Link and other providers challenged the FCC's intrastate rate caps in the US Court of Appeals for the DC Circuit, claiming the agency lacked the adequate authority to set caps and that the rates were too low. And for the last several years, the FCC had been working to defend its actions in court.

"As a result of these changes in membership, the two Commissioners who dissented from the Order under review—on the grounds that, in specific respects, it exceeds the agency’s lawful authority—now comprise a majority of the Commission," Gossett wrote. Gossett is thus no longer authorized to defend the FCC's previous contention that it "has the authority to cap intrastate rates for inmate calling services" and cannot defend the FCC's assertion that it "lawfully considered industry-wide averages in setting the rate caps contained in the Order," he wrote."

Despite Pai suddenly undermining the agency's own lawyers, all is not lost quite yet:

"Gossett said he will continue to defend other parts of the commission's October 2015 order, which also lowered the price of interstate calls, those that cross state lines. Despite the FCC's various losses, a 2013 decision to set interim rate caps of 21¢ to 25¢ per minute for interstate calls has survived court challenges...The FCC's decision to stop defending the full order hurts the case for maintaining rate caps on intrastate calls in which both parties are in the same state, but it doesn't completely kill the case. The FCC is ceding 10 minutes of its allotted argument time to attorney Andrew Schwartzman, who is defending the rate caps on behalf of prisoners' rights groups."

It's worth reiterating that voice services these days cost very little to actually provide. Also keep in mind that Securus and other such companies are part of a dangerously cozy and captive market, where prisons get paid upwards of $460 million annually in "concession fees" (read: kickbacks) to score exclusive, lucrative prison contracts. In this comically absurd environment, the service pricing and quality are just about what you'd expect. Government oversight of these businesses have been virtually non-existent, in part thanks to accusations that these companies have allowed some law enforcement to monitor what should be privileged attorney client communications.

The fact that making it easier to rip off inmates was new boss Pai's first move in office should tell you plenty about just how far his dedication to "closing the digital divide" is going to go. That's before you realize that Pai's other early actions have involved preventing 9 pre-approved ISPs from helping the poor, killing an FCC plan to bring competition and cheaper rates to the cable box, and killing all FCC Net neutrality enforcement moving forward. With friends like these...

from the we-said-JUMP dept

Belgium has fined Skype €30,000 for failing to comply with a court request to intercept users' communications, something Skype claims was technically impossible at the time of the request.

According to Het Belang van Limburg, a Dutch-language newspaper in Belgium, the fine was delivered by the court in Mechelen because Skype had failed, in September 2012, to deliver up anything more than metadata in response to an investigation into a criminal organisation.

The court, failing to understand anything but its power to order people around, demanded that Skype turn over communications. Skype turned over the only thing it could actually obtain, explaining that its architecture didn't support the interception of calls. No dice. That only made the court angry.

The court was no more happy to have pointed out to it that Microsoft didn't actually fall under its jurisdiction. It maintains no data centers in Belgium, nor does it have anyone employed there. Microsoft suggested the court work with governments of countries where it actually maintains a presence and utilize their mutual assistance treaties.

None of these facts appear to have mattered. The court says Microsoft should be able to do the impossible because the law is the law.

Het Belang van Limburg quoted prosecutor Tim Hoogenbemt as saying: "Skype offers services in our country, so it needs to know the laws. And therefore know that the court may ask interception measures."

Sometimes the law isn't the law, though. Microsoft pointed out the law doesn't actually apply to it since it's a software provider, rather than a service provider.

And sometimes the law is an ass. The fine is still in place despite arguments of impossibility, illegality, and "not applicable" to the contrary. It may not stick. Microsoft is appealing the decision.

This isn't the first time Belgian courts have overreached. Back in 2009, Belgian officials blew off perfectly workable mutual assistance treaties, demanding user information directly from Yahoo's US headquarters. Yahoo, like Microsoft, pointed out that it has no data centers or employees in Belgium. Instead of rethinking its approach, the government took the company to criminal court. That court, like this one, decided to fine the company for doing the exact thing it was supposed to be doing: protecting its users' privacy.

And that's not the limit of Belgian exceptionalism. A "royal decree" from the Belgian government (which bypasses the Parliamentary approval process needed for actual legislation) forces ISPs to collect and store tons of info on their subscribers, including how many emails are sent, VoIP use (hello, Skype!), call metadata, etc. -- just in case law enforcement might need it. When it was pointed out this decree violated the EU's privacy directive, the government shrugged and called the agreement it signed "obsolete."

Given these decisions, it's not even useful advice to suggest just not doing business in Belgium. It quite obviously doesn't matter to the courts where the data or communications they're seeking are actually located.

from the wat dept

You don't often see a journalist argue for more government secrecy. In fact, you never see this. This makes Matt Yglesias' piece for Vox more than an oddity. His argument for a broad FOIA exemption covering the single most-used form of government communications appears to be motivated by two things:

When Yglesias seeks a comment from a public official, they often want to call. Why? Because a phone call doesn't create a permanent record of the conversation. This is exactly why journalists would much rather take comments in the form of an email. Or should want to. It's a much better reason than Yglesias', which is that he just doesn't want to be hassled by phone calls. Yglesias feels the real problem here isn't public officials not wanting to go on the record, but the Freedom of Information Act's supposedly inconsistent take on communications.

The issue is that while common sense sees email and phone calls as close substitutes, federal transparency law views them very differently. The relevant laws were written decades ago, in an era when the dichotomy between written words (memos and letters) and spoken words (phone calls and meetings) was much starker than it is today. And because they are written down, emails are treated like formal memos rather than like informal conversations. They are archived, and if journalists or ideologically motivated activists want to get their hands on them, they can.

This argument might make some sense if Yglesias had ever advocated for the alteration of federal statutes like the Electronic Communications Privacy Act or the Third Party Doctrine that have been abused for years by government agencies with complete disregard for wholesale changes in personal communication preferences. (Under the Yglesias theory, phone calls = emails, so the government should need a wiretap warrant to access the contents of these communications, rather than just regular search warrants.)

Furthermore, he's simply wrong about the FOIA's treatment of phone calls and emails. If a public record is generated by a phone call, it too can be accessed with a FOIA request. One example would be 911 calls, which are always recorded and are considered public records.

But searching through the hundreds of pieces Yglesias has written won't uncover anything that indicates he feels the American public should also be a beneficiary of updated laws that better reflect the shift away from phone calls as a primary communications method. It's too late for Hillary Clinton to benefit from this proposed alteration, but presumably other politicians Yglesias cares deeply for will find themselves freed from the tyranny of transparency.

Part of Yglesias' argument for a blanket email exception is that these are often informal communications -- not really the sort of thing the government should feel compelled to hand over. Yglesias says there's "no public interest" in documents that don't contain official policy directives, etc. But he's wrong. There's an incredible amount of public interest in government communications, as these often provide glimpses of the government's inner workings that just aren't visible when boiled down to policy memos and talking points.

His next justification, however, is baffling in its inadvertent self-contradiction.

Under current law, if Bill Clinton wants to ask his wife to do something wildly inappropriate as a favor to one of his Clinton Foundation donors, all he has to do is ask her in person. But disclosure laws sit as a constant threat to the adoption and use of efficient communications tools. Your smartphone isn’t primarily for making phone calls, but the stuff you do on your “phone” — communicating with other human beings in your life — is the social and economic equivalent of a phone call. It ought to be legally treated that way too.

In other words, public figures have a number of ways to avoid generating public records about questionable activities. The solution, according to Yglesias, is to GIVE THEM ANOTHER ONE.

Yglesias says there are all sort of communications government officials should never need to worry about being made public. This will supposedly give us a more "effective" government, unconstrained by worries about what the public might think.

There are a lot of things that colleagues might have good reason to say to one another in private that would nonetheless be very damaging if they went viral on Facebook:

Healthy brainstorming processes often involve tossing out bad or half-baked ideas in order to stimulate thought and elevate better ones.

A realistic survey of options may require a blunt assessment of the strengths and weaknesses of different members of the team or of outside groups that would be insulting if publicized.

Policy decisions need to be made with political sustainability in mind, but part of making a politically sustainable policy decision is you don’t come out and say you made the decision with politics in mind.

Someone may want to describe an actual or potential problem in vivid terms to spur action, without wanting to provoke public panic or hysteria through public discussion.

If a previously embarked-upon course of action isn’t working, you may want to quietly change course rather than publicly admit failure.

It's as if Yglesias is completely unaware that there are existing FOIA exemptions that cover the sort of "deliberative documents" that these conversations -- if handled via email -- would generate.

But in the context of the Clinton email scandal -- which Yglesias himself says can't be "ignored" when discussing a shift away from government transparency -- this proposal would have prevented the public from learning the following about the leading presidential candidate:

- She deployed her own private email server despite being warned against doing so, and while receiving input from other officials who hinted it might be a good way to route around public record requirements.

- She handled classified information carelessly and incompetently.

This is stuff the public needs to know, but Yglesias apparently feels anything contained in a public official's inbox should be treated as the ephemeral contents of a phone call or a whispered conversation. And he offers up this proposal with seemingly complete unawareness of how combative the FOIA process already is -- and how often the government stalls, levies fees, abuses exemptions, performs deliberately inadequate searches, etc. to further distance requesters from the records they not only seek, but federal law says they're entitled to.

And, if you think I'm being too harsh on Yglesias for taking an implicit pro-Clinton stance in his call for less government transparency, his track record speaks for itself. This is why we steer clear of partisanship here at Techdirt. This makes advocating for greater transparency, changes in law, etc. sincere, rather than motivated by how it will affect various writers' "teams."

Yglesias has dug himself into a hole with this article. He'll presumably keep his head down when politicians he doesn't care for start making noise about "too much transparency." This post shows he's not quite the journalist he believes he is and his ignorance of the reality of the FOIA process is on full display. In support of god-knows-what, Yglesias is calling for the most common method of government communication to become the government's most-used FOIA dodge. That's a dangerous proposal, especially when issued by a self-professed member of the Fourth Estate, whose job it is to help rein in the government and hold it accountable -- not give it more ideas on how to hide stuff from the people paying for it.

from the amoral-majority dept

For many, many years interstate inmate calling service (ICS) companies have charged inmates and their families upwards of $14 per minute for phone calls. Because these folks are in prison, and as we all know everybody in prison is guilty, drumming up sympathy to convert into political momentum had proven difficult. But after decades of activism the FCC intervened last year, voting to cap the amount companies can charge the incarcerated. According to the FCC's updated rules, ICS companies can no longer charge more than twenty-two cents per minute -- depending on the size of the prison. Caps were also placed on the fees companies could charge those trying to pay these already bloated bills.

The companies profiting off of ripping off the incarcerated have unsurprisingly been fighting the FCC's proposal tooth and nail in the courts. Global Tel*Link (GTL) and Securus Technologies managed to win a partial stay earlier this month (pdf) that put the FCC's per minute price caps on hold until a lawsuit against the FCC is decided. FCC lawyers have argued (pdf) the stay still lets them apply older (2013) interim price caps on interstate calls to intrastate calls until the case is settled.

"This chaos and confusion about what is the correct intrastate calling rate—and the only answer is that there is no federally mandated intrastate calling rate after the Court's March 7 Order which stayed all new rates—will carry over into correctional facilities themselves. Inmates will be angry if they believe that Securus is charging the wrong rates. There could be damage to Securus phones and equipment, as well as a threat to overall security and corrections personnel including inmates within the facilities. Having been in this industry for eight years, I have experience with jail unrest and I know that issues with the phones can trigger it."

In other words, if inmates that have been ripped off for decades suddenly believe they'll be facing lower rates -- and Securus keeps charging the higher rates -- they'll riot. While it's incredibly sweet of the company to be so concerned with prisoner safety, it's odd that Securus wasn't all that concerned with inmates rioting earlier, given these companies have been charging Mercedes prices for what's arguably a Yugo-grade product for the better part of a generation.

Keep in mind that voice services these days cost very little to actually provide. Also keep in mind that Securus and other such companies are part of a dangerously cozy and captive market, where prisons get paid upwards of $460 million annually in "concession fees" (read: kickbacks) to score exclusive, lucrative prison contracts. As a result, the service pricing and quality are just about what you'd expect. And as a hack of Securus late last year revealed, these contracts appear to involve helping government record potentially privileged attorney client conversations (Securus just settled a 2014 Texas case claiming precisely this).

So again, ripping off consumers for years? Ok. Working in concert with government to record privileged communications? Fine. Croynistic, monopoly control over a (literally) captive audience resulting in abysmal service? Sure! Trying to prevent inmate families from having to take out a second mortgage to speak to their loved ones? Inevitable riots, safety first!

from the institutional-apathy dept

A few months ago the FCC voted to crack down on the ripping off of inmates and their families by prison telecom companies, which for decades now have charged upwards of $14 per minute for services that cost little to nothing to provide. At the time, prison telecom companies like Securus complained hysterically about the FCC's decision, CEO Richard Smith declaring the new price caps would have a "devastating effect" on its business, potentially ending its participation in "services and continuing inmate related programs."

According to a massive new trove of data obtained by the Intercept, one of the "services" Securus was apparently providing was of the wholesale spying variety. Hacker-obtained data examined by The Intercept includes 70 million records of phone calls (and recordings of the phone calls themselves), placed by prisoners in at least 37 different states over a two-and-a-half year period. Of particular note are the estimated 14,000 recordings of privileged conversations between inmates and their lawyers:

"This may be the most massive breach of the attorney-client privilege in modern U.S. history, and that’s certainly something to be concerned about,” said David Fathi, director of the ACLU’s National Prison Project. “A lot of prisoner rights are limited because of their conviction and incarceration, but their protection by the attorney-client privilege is not."

Securus alone provides telecom services and "secure" storage of communications for 2,200 prisons around the United States, processing a million or so calls each day. Securus and other such companies serve a relatively captive and unregulated market, where prisons are paid upwards of $460 million annually in "concession fees" (read: kickbacks) to win exclusive telecom-related prison contracts. Part of Securus' pitch to prisons is that it will offer cutting edge secure storage for these communications, though the Intercept notes this latest hack wasn't the first.

Prisoners obviously don't expect the full historical right to privacy; indeed Securus makes sure to include a message warning inmates that "this call is from a correctional facility and may be monitored and recorded" at the beginning of each call. Waivers of rights and the monitoring and securing of phone communications was originally pushed as a way to prevent riots, witness tampering and generally secure the prison back in the 90s. But as the Intercept points out, that doesn't make the long-term storage of this data any less problematic, and securing the facility certainly shouldn't include recording secure communications between inmates and their lawyers. A behavior, it should be noted, Securus itself claimed it didn't do:

"A review of contracts and proposals completed by Securus in a handful of states reflects the company’s understanding of this right. In a 2011 bid to provide phone service to inmates in Missouri’s state prisons, Securus promised that each “call will be recorded and monitored, with the exception of privileged calls.” But the database provided to The Intercept shows that over 12,000 recordings of inmate-attorney communications, placed to attorneys in Missouri, were collected, stored, and ultimately hacked."

The Intercept's findings are particularly problematic for Securus, since the company is the target of a federal civil rights suit filed in Texas in 2014. That suit, by the Austin Lawyers Guild and a prisoners' advocacy group, alleges that Securus had been recording privileged conversations, and that intrusion into this communications (and the prosecutors' failure to disclose this information during discovery) undermines the legal ability to defend them. This despite Securus contracts explicitly stating that phone calls "to telephone numbers known to belong [to] attorneys are NOT recorded," and that "if any call to an attorney is inadvertently recorded, the recording is destroyed as soon as it is discovered." Or not.

The Intercept's latest findings not only stumble into yet another expansion of our wholesale surveillance state, but exemplify the kind of apathy about the prison industrial complex that allowed Securus to aggressively rip off inmates and families in the first place. "They're in prison so they deserve it" is a common refrain from the apathetic to the rights trampling of the guilty, the innocent, and the millions of Americans serving massive prison sentences for relatively innocuous marijuana offenses. On a positive note the Intercept's latest leak was courtesy of The Intercept's Tor-enabled SecureDrop platform, another sign we're (hopefully) moving past the Assange middleman era into one where the traditional media -- with a little help -- actually does its job.

The U.S. Court of Appeals for the Second Circuit declined to adopt a rule that agents get a "two-minute presumption" on the reasonableness of wiretapping calls that are personal in nature.

The circuit did so while dismissing a civil suit brought against FBI agents by a woman who claimed her privacy was violated when agents taped intimate phone calls between herself and her husband during a criminal investigation.

The circuit said the woman, Arlene Villamia Drimal, will be allowed to file a new complaint against the agents.

Drimal is the wife of convicted insider trader Craig Drimal. She sued 16 FBI agents for conversations they overheard in 2007 and 2008 while executing a wiretap secured under Title III of the Omnibus Crime Control and Safe Streets Act of 1968, §§2510-2522.

This doesn't necessarily "put to death" the two-minute window on personal calls FBI agents grant themselves, contrary to Drimal's lawyer's claims. The ruling is very specifically narrowed to cover only the FBI agents' actions in this case. The 16 agents listed in Drimal's lawsuit moved for dismissal, citing qualified immunity and pointing to a previous decision which allowed the FBI approximately two minutes to ascertain a call's purpose and relevance.

They cited the Second Circuit case of United States v. Bynum, 485 F.2d 490 (2d Cir. 1973), where the court held a wiretap that monitored 2,058 in a large narcotics case did not violate Title III minimization requirement.

The Bynum court excluded calls under two minutes from its evaluation of the wiretap because "in a case of such wide-ranging criminal activity as this, it would be too brief a period for an eavesdropper even with experience to identify the caller and characterize the conversations as merely social or possibly tainted."

The FBI has an indeterminate amount of time to discern the intent and content of wiretapped calls, with an obligation to disconnect as soon as it's surmised the phone call has no investigatory relevance. This still remains in force, even with this rejection of its "two minute" argument. Without a doubt, this allowance has been abused to listen in on phone calls of a personal nature, but its intent is to minimize privacy violations while still allowing agents to collect evidence. What distinguishes this case from others is that the FBI agents were caught not "minimizing" wiretapped calls in violation of the court order authorizing the wiretap. This abusive behavior was called out by the presiding judge.

This case does not present the same circumstances as Bynum. Many of the violations here took place in the early stages of the wiretap when defendants were less familiar with the case and with Mrs. Drimal’s lack of involvement in it, but the agents should have realized reasonably early in the wiretap that these husband and wife conversations were not relevant to the investigation. As Judge Sullivan noted in Goffer, Mr. and Mrs. Drimal occasionally discussed “deeply personal and intimate” issues, 756 F. Supp. 2d at 594, and “in each of these calls it should have been apparent within seconds that the conversation was privileged and non‐pertinent,” id. at 595.

As a result, the reasoning from Bynum that it would be too difficult to minimize calls under two minutes is not applicable here where agents could determine in seconds that the calls between husband and wife were entirely personal in nature. The two‐minute presumption we applied in Bynum thus does not automatically shield defendants against the failures to minimize calls under two minutes that the putative amended complaint is likely to allege.

On one hand, the ruling undercuts the FBI's assumption that all calls under two minutes in length can be listened to in their entirety, no matter their relevance to ongoing investigations. On the other hand, the ruling cannot be applied broadly to other FBI wiretapping efforts. Civil suits brought over alleged privacy violations aren't going to be any easier to pursue as the "window" for FBI eavesdropping is still wide open, what with the Bynum ruling only applying to the specific facts of that case, rather than FBI wiretapping in general.

Drimal's case was aided by a couple of unlikely incidents, one of which was two agents' open admissions that they had listened to privileged phone calls. The other factor weighing into this decision was the very specific instructions the agents received, not only from the court issuing the wiretap order, but also from the US State's Attorney. Without these two elements, the FBI would likely have been found to be acting lawfully within the confines of its wiretap policies and applicable court orders.

from the thank-you-snowden dept

We already covered the fact that the DEA had a phone tracking program similar to the NSA's that we've been debating. As we noted in our post, that DEA phone tracking program was actually revealed years ago in a NY Times report, though it didn't get that much attention at the time. Yesterday, USA Today's Brad Heath did a much more detailed report on the details of the program -- including how massive it was, how little oversight there was (basically none) and how widely it was used (all the time). But there was one element that seemed important enough to call out separately: this program has been ended and it's entirely because of Ed Snowden. While there's still a fight going on over whether or not the NSA program will continue after June 1st (when Section 215 of the PATRIOT Act expires), Heath's reporting notes that the DOJ realized the DEA program could not continue -- once it realized how similar it was to the NSA program:

Holder pulled the plug on the phone data collection in September 2013.

That summer, Snowden leaked a remarkable series of classified documents detailing some of the government's most prized surveillance secrets, including the NSA's logging of domestic phone calls and Internet traffic. Reuters and The New York Times raised questions about the drug agency's own access to phone records.

Officials said the Justice Department told the DEA that it had determined it could not continue both surveillance programs, particularly because part of its justification for sweeping NSA surveillance was that it served national security interests, not ordinary policing. Eight months after USTO was halted, for example, department lawyers defended the spy agency's phone dragnet in court partly on the grounds that it "serves special governmental needs above and beyond normal law enforcement."

Three months after USTO was shut down, a review panel commissioned by President Obama urged Congress to bar the NSA from gathering telephone data on Americans in bulk. Not long after that, Obama instructed the NSA to get permission from the surveillance court before querying its phone data collection, a step the drug agency never was required to take.

The DEA stopped searching USTO in September 2013. Not long after that, it purged the database.

"It was made abundantly clear that they couldn't defend both programs," a former Justice Department official said. Others said Holder's message was more direct. "He said he didn't think we should have that information," a former DEA official said.

Think about this, though: the program lasted for more than two decades before anyone bothered to even consider this idea. And it was only once the other database (which actually had a lot more strict access controls) started getting negative press that Justice Department officials realized they had no real legal basis for the DEA program.

Who, again, is watching the watchers? While some have argued that Snowden's revelations have not (yet) resulted in the NSA's surveillance programs being stopped, it seems pretty clear that he was directly responsible for this DEA program being shut down completely and the data purged.

from the faster-turnaround-this-time,-though dept

More information has surfaced on the NSA's worldwide phone metadata collections. A leaked document provided to Norwegian paper Dagbladet shows that metadata on over 33 million Norwegian calls was collected in a single month.

"Friends should not monitor each other," Norway's prime minister Erna Solberg told Norwegian broadcaster NRK on Tuesday. "It is legitimate to engage in intelligence, but it should be targeted and suspect based."

"It is unacceptable for allies to engage in intelligence against each other's political leadership," added justice minister Anders Anundsen...

According to Dagbladet, Norwegian phone companies NetCom and Telenor both deny giving the NSA access to their systems.

Torstein Olsen, head of Norway's telecoms regulator, said that it was illegal for anyone apart from telecommunications companies to collect such data.

"If Dagbladet's information is correct that 33 million mobile phone calls in Norway were registered by someone other than the telecommunication companies, that would be a crime under Norwegian law," he said.

This is in line with the responses offered by other US allies who have been made aware of the NSA's efforts via Snowden's leaks. The ODNI hasn't even bothered offering a denial, perhaps suggesting it would rather deal with its domestic issues than fight the intelligence brushfires around the world. This lack of response may also be due to the fact that the NSA didn't collect this metadata directly.

What is interesting about this is the Norwegian intelligence response. The head of the NIS (Norwegian intelligence) made two seemingly contradictory statements in under 24 hours.

The head of NIS, Norway's intelligence service, Lieutenant General Kjell Grandhagen, told Dagbladet that his agency had not collaborated with US to collect the data, and had been unaware that it was being collected.

"This is data collection by Norwegian intelligence to support Norwegian military operations in conflict areas abroad, or connected to the fight against terrorism, also abroad," Lieutenant General Kjell Grandhagen, head of the Norwegian Intelligence Service, told a news conference.

"This was not data collection from Norway against Norway, but Norwegian data collection that is shared with the Americans."

Grandhagen's "deniability" seems to hinge on being asked the right question in the right way. The first answer, given shortly after the leak, may have simply been the "least untruthful." In some ways, the answer is true. The NIS does not collaborate with the NSA to collect the data. It collects the data itself and then shares it with the NSA. Grandhagen can honestly say he was unaware the NSA was collecting this data, because the NSA wasn't. The NIS was. Playing to the edges of the wording.

The second answer seems to have been composed with a little more thought and is targeted more at dispelling domestic spying rumors than pretending it never happened.

So, like other countries (France, Italy), these metadata collections are supposedly collections of calls into or out of the country, rather than solely domestic end-to-end calls. Supposedly. We've seen that the NSA's collections in the US gather plenty of metadata on solely domestic communications. Just as spokespersons are quick to assure offended countries that "everyone spies on other countries," those thinking more skeptically will be quick to respond with "and everyone says they're not spying on their own citizens, but they are."

33 million calls from one country in one month -- no matter who's doing the collecting and who's on the "share" list -- is a massive amount of data. If the NSA is being supplied with the metadata on hundreds of millions of phone calls from around the world every month, in addition to the hundreds of millions it collects domestically every 90 days, there's no way it can credibly claim to have a handle on all this data.

The C.I.A. is paying AT&T more than $10 million a year to assist with overseas counterterrorism investigations by exploiting the company's vast database of phone records, which includes Americans' international calls, according to government officials.

This is all purely voluntary ($10mil of greased palms/wheels notwithstanding), hence the lack of court orders or subpoenas. Oddly enough, this voluntary system actually protects the privacy of Americans much better than the "legal" Section 215 collections.

The C.I.A. supplies phone numbers of overseas terrorism suspects, and AT&T searches its database and provides records of calls that may help identify foreign associates, the officials said…

Because the C.I.A. is prohibited from spying on the domestic activities of Americans, the agency imposes privacy safeguards on the program, said the officials, speaking on the condition of anonymity because it is classified. Most of the call logs provided by AT&T involve foreign-to-foreign calls, but when the company produces records of international calls with one end in the United States, it does not disclose the identity of the Americans and “masks” several digits of their phone numbers, the officials said.

Of course, these "masked" records can be very simply unmasked by "tipping" them to other agencies, like the FBI, which then acquires a subpoena/court order to "unmask" the records. This just goes to show that these agencies can cooperate, as long as its in the interest of furthering domestic surveillance.

Ultimately though, this news isn't surprising. Phone companies have been collecting government paychecks in exchange for data for a very long time. True, the telcos don't want to appear as though they're selling Americans' data for cash, but that's exactly what's happening. The CIA's primary focus is foreign surveillance and, thanks to AT&T, there's some minimization in place to keep the agency focused on its purview.

More interesting, however, is how this news affects General Alexander's "generous" offer to store data at a "neutral site" in order to alleviate privacy concerns. As was noted back when he made this offer, American telcos are hardly "neutral sites" given their history of swiftly coughing up anything requested with a minimum of pushback.

So, AT&T (and Verizon, etc.) are not "neutral" in any true sense of the word, but at least storing the data there would put the NSA in the position of having to bring its selectors to a third party before accessing stored records, rather than just having them conveniently available (and exploitable) in its own storage for an indefinite period of time. This would trim down the "accidental" abuse that has been displayed by the agency in the past.

More recently, ODNI lawyer Robert Litt (along with the FBI's general counsel) suggested storing data with the originators would lead to less privacy. Given what we know about the CIA's paid data plans, he might be correct, even if his motives for making that claim were completely disingenuous.

It would introduce extra steps, but it appears as though there would be a way to "tip" domestic data to the NSA by simply using the process it uses with the FBI. Restrictions on both the NSA and CIA are meant to minimize the amount of unrelated domestic metadata they have access to. The CIA's restrictions are harsher than the NSA's, but the CIA can still grab and let the NSA wrangle the paperwork needed to unmask numbers. Or vice versa. The NSA can access its on-site metadata stores (with unmasked numbers) and tip domestic call data back to the CIA.

Both of these scenarios are unlikely, but storing the data at AT&T seems to offer very minimal privacy advantages over storing it in the NSA's data centers. At best, this creates some mild speed bumps for the agency to deal with in exchange for a small amount of "peace of mind" privacy-wise. Most telcos have seemed even less interested protecting Americans' privacy than the inquiring agencies themselves. As you'll recall, AT&T went out of its way to perform phone record queries for the FBI for agents armed with nothing more legally binding than a Post-It note.

The other thing to note is that this is another bit of evidence that undercuts the telcos' repeated assurance that they "value their customers' privacy." This sentence is usually followed directly by defensive wording about "complying" with "applicable laws" -- which actually means "complying with intelligence agencies." There's very little true concern on display and little to no evidence AT&T (and Verizon) have ever made any serious attempt to push back on government requests.